Differential D20710
fcntl: fix overflow when setting F_READAHEAD Authored by asomers on Jun 20 2019, 3:26 PM. Tags None Referenced Files
Subscribers
Details fcntl: fix overflow when setting F_READAHEAD VOP_READ and VOP_WRITE take the seqcount in blocks in a 16-bit field. Tested with a simple C program and a dtrace script. The C program sets seqcount.c#include <err.h> int main(int argc, char **argv) const char *filename = argv[1];
int seqcount = atoi(argv[2]);
int fd;
void *buf;
buf = malloc(65536);
fd = open(filename, O_RDONLY);
if (fd < 0)
err(1, "open");
if (fcntl(fd, F_READAHEAD, seqcount) < 0)
err(1, "fcntl");
if (read(fd, buf, sizeof(buf)) < 0)
err(1, "read");
return (0);} invocation:sudo dtrace -i 'fbt:kernel:ffs_read:entry {printf("seqcount=%d", args[0]->a_ioflag >> 16);}' -c "./seqcount sparse 2147483647"
Diff Detail
Event TimelineComment Actions Looks like you could get a similar overflow by having 64k readers on a pipe too (fs/fifofs/fifo_vnops.c). You could also overflow in sequential_heuristic() if uio_resid is big enough (especially with a narrower f_seqcount).
Comment Actions Fix an overflow in sequential_heuristic introduced by reducing the size of Comment Actions Actually, I don't think the usage in fifo_vnops.c is a potential overflow. AFAICT fifos use that field for a completely different purpose. It really should be a different field (and in fact, it used to be). See r238936.
Comment Actions Interesting, thanks. It still seems like it could overflow, especially if the f_seqcount value is shrunk past int — it's later compared against the pipe's wgen, which is an int. We could instead do something like: union {
intXX_t f_seqcount;
int f_pipegen
};That way it is clear the repurposing is intentional and correctly sized for fifofs' use.
Comment Actions FYI, I discovered that f_seqcount needs to be int16_t rather than int8_t in order to detect an overflow. Otherwise the slightest overflow of IO_SEQMAX will wrap. Comment Actions Wrap where? If we can overflow at 8 bits, the margin for overflow at 16 isn't great (at most an extra factor of 256x). That condition may need to be fixed either way. Comment Actions Wrap in vfs_vnops.c at line 502. Currently, the largest possible overflow is about 2x. So using an int16_t makes it safe. Comment Actions Oh, I see, the expression is just incorrect. Should be something like: fp->f_seqcount = MIN(IO_SEQMAX,
fp->f_seqcount + howmany(uio->uio_resid, 16384));(The type of uio_resid is ssize_t, so that expression should be evaluated as ssize_t and not overflow before truncation to IO_SEQMAX.) The fact that the current code violates IO_SEQMAX is a problem even if it no longer wraps with int16_t, I think. | ||||||||||||||||||||||||||||||||||||||||||||||||||||